VLAN for Management Traffic

Hello Everyone,
I'm still learning Cisco and networks in general but I need to separate management traffic from the regular network.  The switch is a Cisco Catalyst 5406-E.  My question is do I need to create a new subnet for the VLAN and how would I do that? The commands I have to create a VLAN and add the switch ports are:
Switch(config)# vlan 15
switch(config-vlan)# name Management
switch(config)# interface GigabitEthernet2/6
switch(config-if)# switchport access vlan 15
Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15.  How do I add it to a new subnet?  Am I going in the right direction?

In general, if you want to use a separate VLAN for management, you can create a VLAN + SVI (routed interface of the VLAN) with an IP address + some access list on the SVI and VTY (“SSH/telnet lines”) for better security.
Example:
==== C4500 – L3 SWITCH CONFIG ====
! create VLAN 15
vlan 15
 name MGMT
! create an access list with the IP addresses from which management of all switches with SVI 15 will be accessible
! Note: this access list (ACL) does not control access to management of the L3 switch/router where the ACL is applied on the SVI, only to all other switches in VLAN 15 that have their default gateway set to IP address 10.0.15.1 (see next step)
ip access-list extended MGMT_SWITCH
 remark ====ICMP====
 permit icmp any 10.0.15.0 0.0.0.255
 remark ====ADMIN====
 permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
 remark ====MONITORING-SERVERS====
 permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
 remark ====NTB-SERVICE====
 permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
! create the SVI/interface of VLAN 15, add an IP address and assign the access list
! Note: DO NOT assign an empty access list to an interface, it can make your router inaccessible!
interface Vlan15
 description MGMT
 ip address 10.0.15.1 255.255.255.0
 ip access-group MGMT_SWITCH out
! create an ACL for the VTY lines of the L3 switch/router; this ACL controls access only to management of the L3 switch, access to all other switches with SVI 15 is controlled by the previous ACL
ip access-list standard VTY
 remark ====ADMIN====
 permit 10.0.1.0 0.0.0.255
 remark ====MONITORING-SERVERS====
 permit 10.0.100.0 0.0.0.255
 remark ====NTB-SERVICE====
 permit 10.0.200.0 0.0.0.255
! assign the ACL to the vty lines
line vty 0 4
 access-class VTY in
==== OTHER L2-ONLY SWITCHES CONFIG ====
! create VLAN 15
vlan 15
 name MGMT
! create SVI 15
interface Vlan15
 description MGMT
 ip address 10.0.15.50 255.255.255.0
! set default gateway/default route to the SVI of the C4500
ip default-gateway 10.0.15.1
! some higher-level switches require use of the following CLI parameters instead:
ip routing
ip route 0.0.0.0 0.0.0.0 10.0.15.1
This is just one of many ways to do the management separation.
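An added example, not part of the original answer: a small Python check that parses a config like the one above and flags an `ip access-group` or `access-class` that points at a missing or empty ACL, and VTY lines that have no `access-class` at all. It also evaluates a standard ACL first-match against a source address, so you can confirm which admin hosts the VTY ACL lets in. The function names and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the L3 switch config above, with two deliberate
# defects: Vlan15 references an ACL with no entries, "line vty 5 15" has no ACL.
SAMPLE_CONFIG = """\
ip access-list extended MGMT_SWITCH
ip access-list standard VTY
 remark ====ADMIN====
 permit 10.0.1.0 0.0.0.255
interface Vlan15
 ip address 10.0.15.1 255.255.255.0
 ip access-group MGMT_SWITCH out
line vty 0 4
 access-class VTY in
line vty 5 15
 transport input ssh
"""


def parse(config):
    """Collect ACL entries, interface ACL bindings and VTY access-classes.

    Sections are recognised by header keyword, not indentation, so configs
    flattened by copy and paste parse as well.
    """
    acls, binds, vty = {}, [], {}
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "//")):
            continue
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
            kind, name = "acl", m.group(1)
            acls.setdefault(name, [])
        elif m := re.match(r"interface (.+)$", line):
            kind, name = "intf", m.group(1)
        elif m := re.match(r"line vty (\d+(?: \d+)?)$", line):
            kind, name = "vty", m.group(1)
            vty.setdefault(name, None)
        elif kind == "acl" and re.match(r"(?:\d+ )?(?:permit|deny)\b", line):
            acls[name].append(re.sub(r"^\d+ ", "", line))  # drop sequence number
        elif kind == "intf" and (m := re.match(r"ip access-group (\S+) (in|out)$", line)):
            binds.append((name, m.group(1), m.group(2)))
        elif kind == "vty" and (m := re.match(r"access-class (\S+) in\b", line)):
            vty[name] = m.group(1)
    return acls, binds, vty


def audit(config):
    """Return findings for ACL references that cannot filter as intended."""
    acls, binds, vty = parse(config)
    findings = []
    for intf, acl, direction in binds:
        if acl not in acls:
            findings.append(f"interface {intf}: ACL {acl} ({direction}) is not defined")
        elif not acls[acl]:
            findings.append(f"interface {intf}: ACL {acl} ({direction}) has no permit/deny entries")
    for rng, acl in vty.items():
        if acl is None:
            findings.append(f"line vty {rng}: no access-class applied")
        elif not acls.get(acl):
            findings.append(f"line vty {rng}: access-class {acl} is undefined or empty")
    return findings


def std_acl_permits(entries, src):
    """First-match evaluation of standard ACL entries; implicit deny at the end."""
    ip = int(ipaddress.IPv4Address(src))
    for entry in entries:
        action, *spec = entry.split()
        if spec[0] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif spec[0] == "host":
            base, wildcard = spec[1], "0.0.0.0"
        else:
            base = spec[0]
            has_wildcard = len(spec) > 1 and spec[1][0].isdigit()
            wildcard = spec[1] if has_wildcard else "0.0.0.0"
        # Wildcard bits set to 1 are "don't care"; every other bit must match.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (ip ^ int(ipaddress.IPv4Address(base))) & care == 0:
            return action == "permit"
    return False


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` before and after a change to catch a binding that was added ahead of its ACL entries.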

Similar Messages

  • Separate VLAN for manag. only on wire?

    I'm having a hard time trying to understand how to configure Aironet 1200 in a way such that I have two VLANs (for example X and Y, both not 1) so that I have X for only management and management is not seen on wireless side at all, and Y for public traffic.
    I went thru' all the old postings about this subject but found no complete example of running config to do it. If anyone has successfully completed doing this, please, can you post an example of IOS command listing how to do it.
    Regards,
    Pauli Borodulin

    Here is a working config that I have. I have two wireless vlans (186, 187) and a third ethernet only vlan (101) which is the management vlan.
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 186 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
    encryption vlan 186 key 2 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
    encryption vlan 186 key 3 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
    encryption vlan 186 key 4 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
    encryption vlan 186 mode wep mandatory
    encryption vlan 187 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
    encryption vlan 187 mode wep mandatory
    ssid weponly
    vlan 186
    authentication open
    ssid wepeap
    vlan 187
    authentication open eap eap_methods
    authentication network-eap eap_methods
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    rts threshold 2312
    channel 2412
    station-role root
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.186
    encapsulation dot1Q 186
    no ip route-cache
    no cdp enable
    bridge-group 186
    bridge-group 186 subscriber-loop-control
    bridge-group 186 block-unknown-source
    no bridge-group 186 source-learning
    no bridge-group 186 unicast-flooding
    bridge-group 186 spanning-disabled
    interface Dot11Radio0.187
    encapsulation dot1Q 187
    no ip route-cache
    no cdp enable
    bridge-group 187
    bridge-group 187 subscriber-loop-control
    bridge-group 187 block-unknown-source
    no bridge-group 187 source-learning
    no bridge-group 187 unicast-flooding
    bridge-group 187 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    ntp broadcast client
    interface FastEthernet0.101
    encapsulation dot1Q 101 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.186
    encapsulation dot1Q 186
    no ip route-cache
    bridge-group 186
    no bridge-group 186 source-learning
    bridge-group 186 spanning-disabled
    interface FastEthernet0.187
    encapsulation dot1Q 187
    no ip route-cache
    bridge-group 187
    no bridge-group 187 source-learning
    bridge-group 187 spanning-disabled
    interface BVI1
    ip address 172.25.101.17 255.255.255.0
    no ip route-cache
    ip default-gateway 172.25.101.1

  • Change cipher strength for management traffic

    Hi All,
    I’m performing a new deployment for my customer on a C370 Ironport and my customer has an internal team performing a band test on the Ironport box. The results show that the management traffic (HTTPS) is only using medium strength traffic (56bits – 112bits), which does not meet the compliance of the organization. From the knowledge base, I checked that our management traffic is using either RC4-SHA or RC4-MD5. Any way to change this to AES or 3DES?
    Besides that, in the band test, customer also notices that the box supports anonymous SSL ciphers. Any way to disable this?
    Thanks.

    Hi there,
    check out these articles:
    Article #1399: How can I alter what ciphers are used with the Graphical User Interface (GUI)? Can I disable SSL v2 for the GUI? Link: http://tools.cisco.com/squish/80676
    Article #1367: How do I prevent the IronPort appliance from negotiating null or anonymous ciphers? Link: http://tools.cisco.com/squish/3637E
    So to exclude low and anonymous ciphers, something like this would apply:
    HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH
    Hope that helps,
    Andreas

  • VLAN trunking, native vlan and management vlan

    Hello all,
    In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
    We have an uplink which is trunked using .1Q. Our access ports have the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.

    To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
    Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
    When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
    I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
    Regards,
    Leo

  • JumboFrames on cisco3750g for iSCSI traffic

    Hello Communality,
    I need your help!
    here is the goal: connect SAN and vmware ESXi by iSCSI via cisco3750g.
    on cisco I'm using a separated vlan for iSCSI traffic.
    So after turning on the JumboFrames on cisco ( system mtu jumbo 9000 > reload) I was trying to test it using PING command from the switch without success :-(
    #show system mtu
    System MTU size is 1500 bytes
    System Jumbo MTU size is 9000 bytes
    System Alternate MTU size is 1500 bytes
    Routing MTU size is 1500 bytes
    #ping 192.168.0.21 size 9000 df-bit repeat 1
    Type escape sequence to abort.
    Sending 1, 9000-byte ICMP Echos to 192.168.0.21, timeout is 2 seconds:
    Packet sent with the DF bit set
    Success rate is 0 percent (0/1)
    #show int gi1/0/3 mtu
    Port      Name               MTU
    Gi1/0/3   iSCSI              9000     
    #show vlan mtu
    VLAN    SVI_MTU    MinMTU(port)      MaxMTU(port)     MTU_Mismatch
    1       1500       9000              9000             No
    192     1500       9000              9000             No
    #show ru int gi1/0/3                        
    Building configuration...
    Current configuration : 108 bytes
    interface GigabitEthernet1/0/3
     description iSCSI
     switchport access vlan192
     switchport mode access
    end
    thanks!

    Hello
    Does the interface need to be an access port or trunk?
    res
    Paul

  • Question about setting vlan for Video Teleconference Equipment

    We recently purchased some Video Teleconference equipment (Product called LifeSize). Initially we had configured a separate vlan for VTC traffic and when a user needed to move the vtc equipment to a different room for a meeting, we would have to manually go in and change the vlan assignment on the switch for that port to the VTC vlan. From my understanding, there is a way to set this up so that anytime the vtc is plugged into any switch port, the port would automatically update to the proper VTC vlan. Is there a way to configure the switch to change the vlan option anytime the VTC equipment is plugged into any switchport? We are using Cisco 3750G series switches. There is an option on the VTC equipment for vlan configuration where we can specify the vlan. However, when we set the vlan, we lose connectivity to the device. If the vlan is preconfigured on the VTC equipment, what is the proper configuration on the switch port?
    Thx in advance for any help given.

    You would need a radius server to do 802.1x authentication. The radius server can associate the vlan you want to use with the authentication. So basically the device connects to the switch port, the device is challenged for credentials by the switch, it responds and then the switch passes the authentication details to the radius server. If the authentication was successful the radius server can then pass a number of attributes back to the switch, one of which is the vlan the port is to be assigned to.
    There is an additional issue with your setup in that generally 802.1x is used to authenticate clients which have an 802.1x supplicant on them, but I suspect your equipment won't. So you can configure the mac authentication bypass feature. What happens here is the switch challenges your equipment but there is no response. Once the challenge has timed out you can configure the switch to then use the mac address of the connected device to authenticate it to the radius server.
    Here is the link for configuring 802.1x on the 3750 switch -
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1205506
    Note the restrictions just in case they affect your setup.
    As for the radius server the Cisco version is ACS. There are others but you would need to make sure they supported everything needed.
    Final point. I have never used 802.1x to do dynamic vlan assignment so I can't guarantee anything.
    Jon

  • Question in regard to management VLAN for each Context in ACE module

    Dear Pros,
    I know this will be a simple question to answer, and I have searched the forum, but I am not able to find the answer I need.
    1) Does the ACE module require a Management IP address for each Context? Should the same VLAN be applied to each context, with larger size subnet to supply host address?
    2) If it does require that, what IP address should I use for default route in each context.
    I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
    Each ACE module will have 3 separate Context, for a total of 4 including the Admin.
    Any suggestions or if you can point me to location as always will be greatly appreciated.
    Thanks and best regards.
    Raman Azizian

    Hi,
    you have several options to choose from.
    1. Use Admin context for management
    You can use the Admin context for management. Give it an IP address in your management VLAN, default route to upstream router, and login and change to contexts from there.
    + Easy and straightforward
    - snmp and syslog are using the ip from each individual context and not the management IP
    2. Use a Large subnet and assign an IP address in each context for management.
    You can configure 1 management VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
    + each context has its own management address
    - static routes need to be added
    3. Use your client-side ip address (or BVI) as management address.
    Your management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
    + no static routes needed
    - inline management
    Personally, I choose option 1. That is, if the people that need to manage the ACE are the same team.
    If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, then I would choose option 3.
    HTH,
    Dario

  • Is it possible to use management Vlan as FT Vlan for ACE4710?

    Is it allowed to configure ACE4710 management vlan as a FT vlan between two appliances? If allowed, what's the consequence of not using a dedicated FT Vlan?
    Thanks a lot

    You should not have any other traffic on the dedicated FT vlan.
    This is from the docs.
    Note Do not use this dedicated VLAN for any other network traffic, including HSRP and data
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/redundcy.html#wp999787
    Having any other traffic on this vlan could cause a problem with FT heart beats being dropped, and both ACE could become active. Definitely use a dedicated FT Vlan.
    Regards
    Jim

  • Configuring Management VLAN for standalone Nexus 5k

    Hi All,
    The architecture in the attachment doesn't require redundancy and hence has a single N5k with N2k as FEX. The setup is working fine except for the management vlan and mgmt 0 interface being down.
    As of now, mgmt0 interface has no link connected to it. The VLAN for nexus management is also down as mgmt0 can't be assigned to vlans. Configuring management IP to Loopback interface also doesn't allow adding the same to management vlan.
    Is mgmt0 an RJ45 compatible port with N5596? and is there a way I can have out of band management for Nexus 5596? Is there a way I can assign a management IP to the FEX?
    Thanks for the inputs.
    Thanks,
    Bala S

    Hello Balachandhar,
    Mgmt interface on N5K exists to provide out of band management to the device.
    Mgmt interface belongs to management vrf. You can reach the N5K on mgmt interface once you configure IP to mgmt interface and connect it to upstream switch port belonging to mgmt vlan.
    The FEX cannot be separately managed. You need to connect to the parent N5K device and manage it.
    HTH
    Padma

  • VLAN prioritization for SAN traffic

    I have a stack of 3750's running two VLANs, one for NFS traffic (id 130) and one for iSCSI traffic (id 150). I have jumbo framing (MTU 9000) on VLAN 150. I'd like to try prioritizing the iSCSI traffic using 802.1p. Can anyone point me to some configuration help? Does anyone have any thoughts or experiences with this idea? Thanks!

    The MDS GE/iSCSI interface can set the DSCP value on outbound IP packets, but that is in the IP header (layer 3). From what I recall, the 802.1p bits are in the Layer 2 field between the MAC addresses and the Ethernet type, and from what I understand, the MDS does not provide any marking at that level.
    You could mark via 802.1p inbound on the Ethernet Switch that the MDS GE port is attached to, but not directly out of the MDS GE port.
    If you are interested in marking iSCSI using DSCP, here is a web page describing how you set the iSCSI interface for the desired DSCP value.
    Hope this helps,
    Mike

  • Management traffic to the ACE

    Do I need to explicitly define management traffic coming to the ace module? I see in a lot of configurations that they allow management traffic in a special class to the ace.
    Also it is necessary to apply an access-list to the ace module to accept traffic for the vip; what if I do not use any access-list on the ace, will the traffic go through?

    Yes you need to define allowed traffic to the ace. The ace acts as an implicit deny. It will block everything until you allow it. The first policy/class match that you should define is the management traffic class.
    access-list ALL line 8 extended permit ip any any
    class-map type management match-any remote_access
    2 match protocol xml-https any
    4 match protocol icmp any
    5 match protocol telnet any
    6 match protocol ssh any
    7 match protocol http any
    8 match protocol https any
    policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
    permit
    interface vlan 121
    ip address
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown

  • Transparent vlan and management of remote switch

    Hi,
    I'm a bit confused regarding the native Vlan of 1262 bridge ...
    My design is LAN---RAP ---- MAP---remote-SWITCH with two Vlan : one for the data and one for the management.
    I keep the vlan 1 for management at this point, but I'm still unable to access the remote switch.
    On LAN side, the switch port is on trunk mode (native vlan 1 and vlan 2 allowed)
    On RAP the Gigabit Ethernet is on normal mode
    On MAP the Gigabit Ethernet is on normal mode
    On remote-SWitch, the switch port is on trunk mode (native vlan 1 and vlan 2 allowed)
    Transparent vlan is disabled on WLC and Ethernet Bridging is checked for both AP.
    It seems that it's not possible to bridge the Vlan1 as it is used for the backhaul, so does it mean
    that for management purposes I must use a specific Vlan-id? And if my understanding is correct, to define this vlan-id
    as native on MAP with the Ethernet Port set as Trunk and on other switches (LAN side and remote-Switch).
    Thanks for your reply

    If you have Ethernet bridging enabled and have defined the vlan for the bridging, then the rap has to be connected to a trunk port and the traffic from the device that is connected to the MAP will egress out of the RAP's Ethernet port onto the trunk port. If you don't define a vlan for bridging then the traffic will be placed on the vlan the RAP is assigned to.
    https://supportforums.cisco.com/servlet/JiveServlet/downloadBody/21766-102-1-53166/Understanding%20mesh%20ethernet%20bridging.pptx
    https://supportforums.cisco.com/docs/DOC-21766

  • About the Native Vlan and Management Vlan.

    I wanted to know whether the Management vlan and Native vlan can be different vlan ids or whether both should be the same vlan id. Why should the native vlan not be vlan 1?

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
    Example: In the below figure, if an IP phone and a system are connected to a switch port as below, the phone will send its frames tagged with vlan 10 whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured as native vlan 20, so that it can recognise and handle the frames from the system and the IP phone properly.
    Management vlan is different: it means that this vlan will be used for management purposes like logging into the switch for management, monitoring the switch, collecting Syslog and SNMP traps, etc.; these will be done via the management vlan IP. This is also by default vlan 1 in Cisco. So as Antony said, it is always a best practice and security measure to not use the default vlan and use custom vlans.
    Hope this helps !
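How a port decides which VLAN a received frame belongs to, as an added example that is not part of the original replies: it parses the 802.1Q tag (TPID 0x8100, then 3 priority bits, 1 DEI bit and a 12-bit VLAN ID) and falls back to the native VLAN for untagged frames. The frames, MAC addresses, VLAN 100/999 values and the `classify` helper are constructed for illustration; VLANs 10 and 20 follow the phone/PC example above.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(dst, src, ethertype, payload=b"", vlan=None, pcp=0):
    """Build an Ethernet II frame, optionally carrying an 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        # TCI = 3-bit priority (802.1p) | 1-bit DEI (left 0) | 12-bit VLAN ID
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vlan_id, pcp) for a tagged frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, tci >> 13


def classify(frame, native_vlan, allowed):
    """VLAN a port assigns to a received frame, or None if it is dropped.

    Simplified model (an assumption of this example): untagged frames and
    priority-tagged frames (VLAN ID 0) go to the native VLAN, and frames
    for a VLAN that is not in `allowed` are dropped.
    """
    tag = parse_tag(frame)
    vlan = native_vlan if tag is None or tag[0] == 0 else tag[0]
    return vlan if vlan in allowed else None


# Constructed sample frames: locally administered MACs, IPv4 EtherType.
SWITCH = bytes.fromhex("02000000aa01")
PC = bytes.fromhex("02000000bb02")
PHONE = bytes.fromhex("02000000cc03")
PC_FRAME = build_frame(SWITCH, PC, 0x0800, b"data")  # untagged
PHONE_FRAME = build_frame(SWITCH, PHONE, 0x0800, b"voice", vlan=10, pcp=5)

if __name__ == "__main__":
    # Phone/PC port from the reply: voice tagged 10, PC untagged, native 20.
    print(classify(PHONE_FRAME, native_vlan=20, allowed={10, 20}))
    print(classify(PC_FRAME, native_vlan=20, allowed={10, 20}))
    # Trunk with a tagged management VLAN 100 and an otherwise unused
    # native VLAN 999: the untagged frame never lands in VLAN 100.
    print(classify(PC_FRAME, native_vlan=999, allowed={100, 999}))
```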

  • WAAS VLAN - not all traffic is being forwarded to WAE

    Hi, I've configured a WAAS topology based on this Cisco document
    (http://www.cisco.com/application/pdf/en/us/guest/netsol/ns377/c649/ccmigration_09186a008081c7da.pdf)
    where the WAE's are in their own VLAN and there is a trunk between the 2 edge routers and 2 6509 switches (the WAE's connect to this switch). Both the "data" vlan and the WAAS vlan are participating in EIGRP which means that traffic is being routed over both sub-interfaces. The problem is that one of the sub-interfaces has the "ip wccp redirect exclude in" command configured so only half the traffic will be passed to the WAE's. Has anyone come across this before? Should I be removing the WAAS vlan from EIGRP and using the second interface on the WAE for management in a separate subnet?
    interface GigabitEthernet0/0
    description Trunk link to 6500
    no ip address
    interface GigabitEthernet0/0.901
    description WAN Edge VLAN
    encapsulation dot1Q 901 native
    ip address 10.7.7.2 255.255.255.224
    ip wccp 61 redirect in
    ip wccp 62 redirect out
    interface GigabitEthernet0/0.902
    description WAAS VLAN
    encapsulation dot1Q 902
    ip address 10.7.9.1 255.255.255.240
    ip wccp redirect exclude in
    standby 1 ip 10.7.9.3
    standby 1 timers 1 3
    standby 1 priority 110
    standby 1 preempt delay minimum 1
    standby 2 ip 10.7.9.4
    standby 2 timers 1 3
    standby 2 priority 120
    standby 2 preempt delay minimum 1
    Edge_Router#sh ip ro 10.6.1.181
    Routing entry for 10.6.1.0/21
    Known via "eigrp 1", distance 90, metric 28928, type internal
    Redistributing via eigrp 9
    Last update from 10.7.7.1 on GigabitEthernet0/0.901, 08:18:01 ago
    Routing Descriptor Blocks:
    10.7.7.1, from 10.7.7.1, 08:18:01 ago, via GigabitEthernet0/0.902
    Route metric is 28928, traffic share count is 1
    Total delay is 130 microseconds, minimum bandwidth is 100000 Kbit
    Reliability 245/255, minimum MTU 1500 bytes
    Loading 12/255, Hops 3
    * 10.7.9.1.2, from 10.7.9.1.2, 08:18:01 ago, via GigabitEthernet0/0.901
    Route metric is 28928, traffic share count is 1
    Total delay is 130 microseconds, minimum bandwidth is 100000 Kbit
    Reliability 245/255, minimum MTU 1500 bytes
    Loading 12/255, Hops 3

    BRADLEY,
    In this case you should make the data VLAN passive (from an EIGRP perspective) and use the WAE VLAN as a transit between the two routers. You don't want traffic coming in from the WAE VLAN to get re-intercepted.
    Zach

  • Administration port - network channel for admin traffic

    I am trying to configure a separate channel for Administration traffic on weblogic. I followed the oracle docos and configured the SSL, domain wide admin port, server listen address, ‘admin’ channel.
    The issue is admin traffic is not happening through the newly created channel.
    L2 network is not getting used. I can’t see any activity in the monitoring tab of new Channel. Also the netstat is showing that the port 9101/9102 is getting used on the 192.168.100.218 and not on 10.254.252.849.
    I also tried by setting up the newly created channel weight as 51, but no luck.
    Is JMX connectivity related to admin channel?
    Any help is highly appreciated. Thanks.
    Ipconfig:
    Admin: adminserver701.mycompany.internal, 192.168.100.238, 10.254.252.808
    Managed: appserver701.mycompany.internal, :192.168.100.218, 10.254.252.849
    Domain wide admin port: 9101
    Admin:
    Listen address –> adminserver701.mycompany.internal
    Channel –> admin -> 10.254.252.808/9101
    Startup -> -Dweblogic.admin.ListenAddress=admin://10.254.252.808:9101
    Managed:(appserver701)
    Listen address –> appserver701.mycompany.internal
    Admin port override: 9102
    Channel –> admin -> 10.254.252.849/9102
    Startup -> -Dweblogic.admin.ListenAddress=admin://10.254.252.849:9102
    AdminServer Logs:
    ####<Feb 18, 2013 1:53:33 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159613346> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://adminserver701.mycompany.internal:9101/jndi/weblogic.management.mbeanservers.runtime .>
    ####<Feb 18, 2013 1:53:33 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159613353> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://adminserver701.mycompany.internal:9101/jndi/weblogic.management.mbeanservers.edit .>
    ####<Feb 18, 2013 1:53:33 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[STANDBY] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159613367> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://adminserver701.mycompany.internal:9101/jndi/weblogic.management.mbeanservers.domainruntime .>
    ####<Feb 18, 2013 1:53:36 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159616699> <BEA-002613> <Channel "DefaultAdministration" is now listening on 192.168.100.238:9101 for protocols admin, ldaps, https.>
    ####<Feb 18, 2013 1:53:36 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159616700> <BEA-002613> <Channel "Channel-0" is now listening on 10.254.252.808:9101 for protocols admin, ldaps, https.>
    ####<Feb 18, 2013 1:55:12 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <cd259038c7dcf5a8:-26ac3ba0:13ceb6f767d:-8000-000000000000001a> <1361159712920> <BEA-002613> <Channel "Default" is now listening on 192.168.100.238:7001 for protocols iiop, t3, ldap, snmp, http.>
    ####<Feb 18, 2013 1:55:12 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <cd259038c7dcf5a8:-26ac3ba0:13ceb6f767d:-8000-000000000000001a> <1361159712920> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.100.238:7002 for protocols iiops, t3s, ldaps, https.>
    ManagedServer Logs:
    ####<Feb 18, 2013 2:54:19 PM EST> <Info> <JMX> <appserver701.mycompany.internal> <adp_ms01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361163259911> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://appserver701.mycompany.internal:9102/jndi/weblogic.management.mbeanservers.runtime .>
    ####<Feb 18, 2013 2:54:20 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361163260350> <BEA-002613> <Channel "Channel-0" is now listening on 10.254.252.849:9102 for protocols admin, CLUSTER-BROADCAST-SECURE, ldaps, https.>
    ####<Feb 18, 2013 2:54:20 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361163260350> <BEA-002613> <Channel "DefaultAdministration" is now listening on 192.168.100.218:9102 for protocols admin, CLUSTER-BROADCAST-SECURE, ldaps, https.>
    ####<Feb 18, 2013 2:54:58 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[STANDBY] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <d3208ed6c2482016:-46ac5fed:13ceba69a8e:-7ffe-000000000000000e> <1361163298045> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.100.218:7102 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
    ####<Feb 18, 2013 2:54:58 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[STANDBY] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <d3208ed6c2482016:-46ac5fed:13ceba69a8e:-7ffe-000000000000000e> <1361163298045> <BEA-002613> <Channel "Default" is now listening on 192.168.100.218:7101 for protocols iiop, t3, CLUSTER-BROADCAST, ldap, snmp, http.>
    AdminServer logs update while starting managed:
    ####<Feb 18, 2013 2:54:57 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <cd259038c7dcf5a8:-26ac3ba0:13ceb6f767d:-8000-0000000000000162> <1361163297488> <BEA-149506> <Established JMX Connectivity with adp_ms01 at the JMX Service URL of service: jmx:admin://appserver701.mycompany.internal:9102 /jndi/weblogic.management.mbeanservers.runtime.>
    Admin Server :
    [oracle@adminserver701 bin]$ netstat -an | grep 9101
    tcp 0 0 10.254.252.808:9101 0.0.0.0:* LISTEN
    tcp 0 0 192.168.100.238:9101 0.0.0.0:* LISTEN
    tcp 0 0 192.168.100.238:9101 192.168.100.218:59038 ESTABLISHED
    I am wondering if the JMX connectivity is using the server listen address (adminserver701.mycompany.internal) which will by default resolve to 192.168.100.238. Is there a way to force JMX to use 10.254.252.808?

    Hi
    For the first question the answer is no. With the administration port, you enable the SSL between the admin server and Node manager-managed Servers. You can still use the web console.
    For the second question, you can use ANT or can use the WLS Scripting. You can get more details in dev2dev.bea.com
    Jin
